OK, now I see it... Thank god I switched to ESE based scanning! Now, has anyone actually seen this happen when using AVAPI? We all know it will always happen with MAPI.
-----Original Message-----
From: Martin Blackstone
Sent: Monday, December 10, 2001 8:59 AM
To: Exchange Discussions
Subject: RE: MS says antivirus not effective on Exchange 5.5: must buy E2000

As far as I can tell MS is saying no such thing. Russ is saying it.

-----Original Message-----
From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 10, 2001 8:59 AM
To: Exchange Discussions
Subject: MS says antivirus not effective on Exchange 5.5: must buy E2000

MS is now saying that even the AVAPI mode of Exchange 5.5 can let viruses slip through under load. The only solution is to upgrade to Exchange 2000.

From NTBUGTRAQ:

============================================================================
Message from NTBUGTRAQ mailing list shown below:
============================================================================

No real news for some, but the recent waves of mass mailers have once again demonstrated how Exchange Server 5.5 plus an Anti-Virus product may not do an effective job at handling mass mailers. But don't blame your Anti-Virus vendor, the problem comes when the Exchange Server 5.5 is put under load. How much load? Nobody seems to be able to say for sure. However, when under sufficient load Exchange Server 5.5 will simply not notify the AV product there's a message to scan, and instead pass it through to the recipient.

Prior to Exchange Server 5.5 SP3, AV Vendors used MAPI-based scanning. However, Microsoft's KB article Q263949 says:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q263949

"If you select MAPI-based scanning, be aware that the vendor's software may not scan all attachments because first and exclusive access is not guaranteed."

SP3 introduced the Virus Scanning API 1.0, and many vendors provided support for it because it was more reliable. But Microsoft have acknowledged that even VSAPI 1.0 can't always handle the load of an internal infection, and rather than losing messages, sends them through without notifying the AV product.

Exchange Server 2000 SP1, with its VSAPI 2.0, says:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q285667

"The enhancements to the virus scanning API that are included in Exchange 2000 Server SP1 represent the next step in the evolution of the commitment that Microsoft has made to protecting customer investment. These new features, known as virus scanning API 2.0, fulfill many of the shortcomings of virus scanning API 1.0."

You gotta love it, "the next step in the evolution of the commitment"...;-] So the commitment is evolving to, presumably eventually, actually let customers protect themselves...but we're not there yet.

AV Vendors are strongly urging their customers to switch to Exchange Server 2000. Microsoft say they have no plans to make VSAPI 2.0 available for Exchange Server 5.5, so to get secure, upgrade.

The number of times customers have actually been bitten by this problem is unknown, suffice it to say it doesn't happen often. Reports I've received indicate that the load required to make Exchange Server 5.5 start missing infected messages (or messages with attachments that have been indicated should be stripped) comes about as a result of one, or more, mass-mailers active in your internal network. For example, someone uses a web-based mail service and opens an email/attachment that invokes a mass-mailer. Once the mass-mailer starts bombing the Exchange Server 5.5, depending on the hardware, it can then get to a point where the load is great enough to cause it to miss inbound messages.

Using the Outlook Email Security Update or Outlook 2002, both of which prevent mass-mailers from programmatically accessing the Exchange Addresses, can help to prevent infections that occur outside of the normal AV path. Using client-side AV products can also help.

Consider also putting a second network adapter on your Exchange Server(s). If internal clients connect to one adapter, and the infrastructure to the other, you can more easily disconnect your clients from the Exchange Server should you detect it's under load. Minimizing what your Exchange Server is doing also helps, size it appropriately and don't use it for anything else. Consider also putting your AV product on its own box.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

============================================================================

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]